BIPI

Reading a Bug Bounty Scope: Hidden Wins, OOS Traps, Acquisitions

Cybersecurity

Scope pages decide whether your report pays or gets closed N/A. Learn how to read them for hidden wins, out of scope traps, and acquisition coverage.

By Arjun Raghavan, Security & Systems Lead, BIPI · January 27, 2023 · 8 min read

#bug-bounty #scope #hackerone #bugcrowd #policy

Read before you hunt

Every hour spent reading the scope page saves five hours of wasted testing and ten hours of arguing with triage. The scope is not a formality. It is the rulebook that decides whether your work earns a payout.

What to extract on first pass

  • Exact in-scope asset patterns, including how wildcards are interpreted (whether *.example.com covers the bare apex, and whether it covers every depth of subdomain)
  • Out-of-scope hosts and entire domains; HackerOne pages in particular list these right beside the in-scope assets, so read both tables
  • Out-of-scope vulnerability classes, which hunters often skip past
  • Rules on automation, rate limiting, and tool usage
  • Disclosure rules and time windows

Copy these into your notes file for the target. Refer back to it whenever you find something near a boundary.

Hidden wins to look for

  1. Wildcard scopes that also cover the domains of acquired companies
  2. Cloud assets covered implicitly because they sit under the organisation's domain
  3. Mobile app scopes whose backend API endpoints are also reachable from the web
  4. Bonus payouts for chained vulnerabilities or for specific classes
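The wildcard rules from the first-pass checklist and the acquired-company wildcards above are exactly the boundaries that get argued over in triage, so it helps to encode them. The checker below is an added example, not code from the original article or from any bounty platform; the scope entries are a constructed sample, and the apex_in_wildcard flag is an assumption, since programs differ on whether *.example.com also covers example.com. Exclusions always beat inclusions, and a host nested under a non-wildcard exclusion is flagged as borderline instead of being silently counted as in scope.

```python
"""Scope checker: classify a host against a program's in-scope and
out-of-scope entries. Added example; the scope below is constructed."""
from dataclasses import dataclass


@dataclass
class Scope:
    in_scope: list
    out_of_scope: list
    # Assumption: "*.example.com" does not cover the bare apex "example.com"
    # unless the policy text says so. Flip this per program after reading it.
    apex_in_wildcard: bool = False


def _norm(name):
    """Lower-case and strip a trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")


def _is_wildcard(pattern):
    return _norm(pattern).startswith("*.")


def _matches(pattern, host, apex_in_wildcard):
    """True if host falls under pattern. Wildcards match any depth of
    subdomain and are anchored on a dot, so *.example.com never matches
    notexample.com."""
    pattern, host = _norm(pattern), _norm(host)
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if host.endswith("." + suffix):
            return True
        return apex_in_wildcard and host == suffix
    return host == pattern


def _under(host, parent):
    """True if host is parent itself or any subdomain of it."""
    return host == parent or host.endswith("." + parent)


def classify(scope, host):
    """Return (verdict, matched_entry). Exclusions always beat inclusions;
    hosts nested under a non-wildcard exclusion are flagged as borderline
    rather than silently treated as in scope."""
    host = _norm(host)
    apex = scope.apex_in_wildcard
    # 1. Any out-of-scope entry that matches wins outright.
    for p in scope.out_of_scope:
        if _matches(p, host, apex):
            return "out_of_scope", p
    # 2. An explicit (non-wildcard) in-scope entry is an unambiguous yes.
    for p in scope.in_scope:
        if not _is_wildcard(p) and _norm(p) == host:
            return "in_scope", p
    # 3. A host beneath a non-wildcard exclusion is ambiguous: the program
    #    may have meant the whole subtree. Quote the clause and ask.
    for p in scope.out_of_scope:
        if not _is_wildcard(p) and host != _norm(p) and _under(host, _norm(p)):
            return "borderline", p
    # 4. Wildcard in-scope entries cover the rest.
    for p in scope.in_scope:
        if _is_wildcard(p) and _matches(p, host, apex):
            return "in_scope", p
    return "unlisted", None


# Constructed sample policy for illustration; not any real program's scope.
SAMPLE = Scope(
    in_scope=["*.example.com", "example.com", "*.acquiredco.io"],
    out_of_scope=["*.corp.example.com", "staging.example.com"],
)


def check_candidates(scope, hosts):
    """Map each discovered host to its verdict; handy for the notes file."""
    return {h: classify(scope, h) for h in hosts}


if __name__ == "__main__":
    results = check_candidates(SAMPLE, [
        "app.example.com", "example.com", "vpn.corp.example.com",
        "api.staging.example.com", "portal.acquiredco.io", "acquiredco.io",
    ])
    for host, (verdict, entry) in results.items():
        print(f"{host:28} {verdict:13} via {entry}")
```

Run it against the hosts your recon turns up and paste the "borderline" rows into the notes file; those are the ones where the report should quote the policy clause and state your interpretation.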

Acquisitions coverage

Some programs cover all subsidiaries by default. Others list them explicitly. A few exclude acquisitions until N months after closing. Read the clause carefully and document your interpretation in the report when relevant.

Common policy traps

  • Self XSS, missing rate limits, and clickjacking are often excluded outright
  • Reports that require user interaction are sometimes downgraded by default
  • Brute force against login is excluded unless you can demonstrate impact
  • Bugs in third party software are excluded unless you can show they affect the target's own assets or data

Scope as a planning tool

  • Pre hunt: reading the scope is mandatory
  • Weekly: recheck the scope page for changes
  • Per report: quote the relevant clauses

Watch for updates

Programs update scope pages. New assets get added. Reward tables change. Subscribe to update notifications where available. Hunters who see a scope expansion first often file the easy wins on freshly added hosts.

Scope reading is bug bounty's most underrated skill. The hunters who win are the ones who turn the policy page into a checklist.

Negotiate cleanly when borderline

When a finding sits on a scope boundary, write the report anyway. Quote the policy, explain why you believe it is in scope, and let the program decide. Polite, well argued borderline reports build trust over time. Loud complaints do the opposite.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.